About

NEW YORK -- Target Chief Information Officer Beth Jacob is resigning effective Wednesday as the retailer overhauls its information security and compliance division in the wake of a massive pre-Christmas data breach.

Target Chairman, President and CEO Gregg Steinhafel said in a statement released to The Associated Press that the company will search for an interim chief information officer who can help guide the company through the transformation.

Jacob had been in her current role since 2008 and oversaw teams in the U.S. and India.

Target (TGT) disclosed on Dec. 19 that the data breach compromised 40 million credit and debit card accounts between Nov. 27 and Dec. 15. Then on Jan. 10 it said hackers also stole personal information -- including names, phone numbers as well as email and mailing addresses -- from as many as 70 million customers.

Target, based in Minneapolis, also plans to look outside the company for a chief information security officer and a chief compliance officer.

Search Jobs

Before the overhaul, information security functions were split among a variety of executives. Target's new chief information security officer will centralize those responsibilities, the company said.

The previous duties of chief compliance officer were overseen by Target's current vice president of assurance risk and compliance, who had previous plans to retire at the end of March. Now, Target is separating the responsibility for assurance risk and compliance.

Target also says it's working with an outside adviser, Promontory Financial Group, to help it evaluate its technology, structure, processes and talent as part of the overhaul.

"While we are still in the process of an ongoing investigation, we recognize that the information security environment is evolving rapidly," Steinhafel said in a statement.

Target is still grappling with the fallout of the theft. The company said last week that its profit for the fourth quarter fell 46 percent on a revenue decline of 5.3 percent as the breach scared off customers.

While Target said sales have been recovering since it disclosed the breach in mid-December, the company expects business to be muted for some time. It issued a profit outlook for the current quarter and full year that was below Wall Street estimates.

The company is offering free credit monitoring for a year for any customer shopping at a Target store who wants it.

It's also equipping its locations with more security technology. Target is accelerating its $100 million plan to roll out chip-based credit card technology, which experts say is more secure than using traditional magnetic stripe cards.

When the final tally is in, Target's breach may eclipse the biggest known data breach at a retailer, one disclosed in 2007 at TJX (TJX), the parent company of TJ Maxx, that affected 90 million records.

In a posting last week on a company blog, Steinhafel said, "In the weeks ahead, we hope to understand more about how this attack happened. And will use what we learn to inform our guests, make Target a safer place to shop and to drive change across the broader retail industry."

In a letter to Steinhafel furnished by Target, outgoing Chief Information Officer Jacob said resigning was a "difficult decision," but she said that "this was a time of significant transformation for the retail industry and for Target." She didn't mention the data breach.

One reason why Marquis' gas purchases might have triggered a fraud lockdown? Filling their tank is a common first move for credit card thieves.

"Some of the things they look at are small-dollar transactions at gas stations, followed by an attempt to make a larger purchase," explains Adam Levin of Identity Theft 911.

The idea is that thieves want to confirm that the card actually works before going on a buying spree, so they'll make a small purchase that wouldn't catch the attention of the cardholder. Popular methods include buying gas or making a small donation to charity, so banks have started scrutinizing those transactions.

Of course, it's not a simple matter of buying gas or giving to charity -- if those tasks triggered alerts constantly, no one would do either with a credit card. But Levin points to another possible explanation: Purchases made in a high-crime area are going to be held to a higher standard by the bank.

"It's almost a form of redlining," he says. "If there are certain [neighborhoods] where they've experienced an enormous amount of fraud, then anytime they see a transaction in the neighborhood, it sends an alert."

(Indeed, Erin tells me that one of the gas purchases that triggered an alert took place in a rough part of Detroit, which she visited specifically for the cheap gas.)

People who steal credit cards and credit card numbers usually aren't doing it so they can outfit their home with electronics and appliances. They don't want the actual products they're fraudulently buying; they're just in it to make money. So banks are always on the lookout for purchases of items that can easily be re-sold.

"Anytime a product can be turned around quickly for cash value, those are going to be the items that you would probably assume that, if you were a thief, you would want to get to first," says Karisse Hendrick of the Merchant Risk Council, which helps online merchants cut down on fraud. Levin says electronics are common choices for fraudsters, as are precious metals and jewelry.

Many thieves don't want to go through the rigmarole of buying laptops and jewelry, then selling them online or at pawnshops. They'd much prefer to just turn your stolen card directly into cold, hard cash.

There are a few ways that they can do that, and all of them will raise red flags at your bank or credit union. Using a credit card to buy a pricey gift card or load a bunch of money on a prepaid debit card is a fast way to attract the suspicions of your credit card issuer. Levin adds that some identity thieves also use stolen or cloned credit cards to buy chips at a casino, which they can then cash out (or, if they're feeling lucky, gamble away).

When assessing whether a purchase might be fraudulent, banks aren't just looking at what you bought and where you bought it. They're also asking if it's something you usually buy.

"The issuers know the buying patterns of a cardholder," says Hendrick. "They know the typical dollar amount of transaction and the type of purchase they put on a credit card."

Your bank sees a fairly high percentage of your purchases, so it knows if one is out of character for you. A thrifty individual who suddenly drops $500 on designer clothes should expect to get a call -- or have to make one when the bank flags the transaction. If you rarely travel and your card is suddenly used to purchase a flight to Europe, that's going to raise some red flags.

Speaking of Europe, the other big factor in banks' risk equations is whether you're making a purchase in a new area. I bought a computer just days after moving from Boston to New York, and had to confirm to the bank that I was indeed trying to make the purchase. Levin likewise says that making purchases in two different cities over a short period of time raises suspicions.

"I go from New York to California a lot, and invariably someone will call me [from the bank], " he says. Since one person can't go shopping in New York and California at the same time, any time a bank sees multiple purchases in multiple locations in a short period, it's going to be suspicious.